Deprecation Notice: Update Outbound Rules for Microsoft Defender for Containers
October 2025
Microsoft Defender for Containers updated the outbound network requirements for the Defender sensor. You must update your outbound rules to maintain proper functionality.
This change affects all subscriptions using Microsoft Defender for Containers. If you're not using the Defender sensor, no action is required.
Beginning now, the Defender for Containers sensor requires outbound traffic to the following fully qualified domain name (FQDN) and port:
*.cloud.defender.microsoft.com (HTTPS: port 443)
Recommended Actions
- Add the new FQDN and port to your allowed traffic in your outbound restriction method, such as a proxy or firewall.
- If you don't block egress traffic from your clusters, no action is required.
- To verify connectivity to Microsoft Defender for Containers endpoints, run the connectivity test script to confirm network accessibility from your cluster.
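The following is an added example, not part of the original notice and not Microsoft's connectivity test script: a Python check that audits an exported egress allow-list for a rule covering the required FQDN and port. The `(fqdn, port)` rule format, the sample rules, and the wildcard semantics (a leading `*.` matches one or more labels) are assumptions; confirm how your proxy or firewall interprets wildcards.

```python
REQUIRED_FQDN = "*.cloud.defender.microsoft.com"  # from the notice
REQUIRED_PORT = 443                               # HTTPS, from the notice
_NEED = REQUIRED_FQDN[2:]                         # suffix after the "*."


def _norm(fqdn):
    """Lower-case and drop surrounding whitespace and a trailing root dot."""
    return fqdn.strip().lower().rstrip(".")


def rule_covers(rule_fqdn, rule_port):
    """True if one allow rule permits every host under REQUIRED_FQDN on 443.

    rule_port is an int or "*" (any port). Assumed semantics: "*.S" matches
    any host with one or more labels to the left of S.
    """
    if rule_port not in ("*", REQUIRED_PORT):
        return False
    rule = _norm(rule_fqdn)
    if rule == "*":
        return True
    if not rule.startswith("*."):
        return False  # an exact-host rule cannot cover a wildcard requirement
    suffix = rule[2:]
    return _NEED == suffix or _NEED.endswith("." + suffix)


def audit(rules):
    """Split rules into those that cover the requirement and near misses."""
    covering, near_misses = [], []
    for fqdn, port in rules:
        if rule_covers(fqdn, port):
            covering.append((fqdn, port))
        elif rule_covers(fqdn, "*"):
            near_misses.append((fqdn, port, "FQDN covers it, port is not 443"))
        elif _norm(fqdn).endswith(_NEED):
            near_misses.append((fqdn, port, "narrower than required wildcard"))
    return covering, near_misses


# Constructed sample allow-list (not taken from any real environment).
SAMPLE_RULES = [
    ("registry.example.internal", 443),
    ("cloud.defender.microsoft.com", 443),    # exact host only
    ("*.cloud.defender.microsoft.com", 80),   # right FQDN, wrong port
]

if __name__ == "__main__":
    ok, near = audit(SAMPLE_RULES)
    print("covered" if ok else "NOT covered", ok, near)
```

An empty `covering` list with entries in `near_misses` usually means a rule was added with the wrong port or without the wildcard.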
Deadline
To avoid service disruption, complete any necessary updates of GKE and EKS by September 30, 2026. If no action is taken where required, the Defender for Containers sensor won't function as expected.
GitHub Application Permissions Update
October 23, 2025
Defender for Cloud is updating its GitHub connector to request a new permission: artifact_metadata:write. This enables new capabilities that support artifact attestations - providing verifiable build provenance and strengthening your software supply chain security. The permission is narrowly scoped, aligning with least privilege principles to support faster and easier security approvals.
How to approve the new permission:
- Via GitHub settings: In your GitHub organization, go to Settings > GitHub Apps, select the Microsoft Security DevOps application, and approve the pending permission request.
- Via email (for organization owners): GitHub sends an automated email to organization owners with the subject "Review permissions request for Microsoft Security DevOps". Click Review permission request to approve or reject the change.
Didn’t get the email? Only GitHub organization owners receive this notification. If you're not an owner, please contact one in your organization to approve the request via GitHub settings.
Note: existing connectors will continue to work without this permission, but the new functionality will only be available once the permission is approved.

